NCUAs Proposed Rule and Guidance on Response Programs for Unauthorized Access to Member Information

The Credit Union National Association (CUNA) appreciates the opportunity to comment on NCUA's proposed rule and guidance on response programs for unauthorized access to member information. The proposed rule will require that a credit union's existing security program address how the credit union will respond to incidents of unauthorized access to member information, and the guidance contains details of what should be included in these response programs. CUNA represents more than 90% of our nation's nearly 10,000 state and federal credit unions. This letter reflects the views of our member credit unions and of CUNA's Consumer Protection Subcommittee, chaired by Mr. Kris Mecham, CEO of Deseret First Credit Union, Salt Lake City, Utah.

Summary of CUNAs Position

There is no need for a credit union to notify NCUA or the state regulator when it becomes aware of an incident involving unauthorized access or use of member information that could result in substantial harm or inconvenience to its members. The notice to NCUA or the state regulator will not affect the credit union's efforts in working with law enforcement, and there is no indication that the regulator will be prepared to provide assistance in addressing the problems outlined in the notice.

The provisions in the guidance with regard to monitoring accounts should be changed. The guidance should
give credit unions the flexibility to determine if account monitoring is unnecessary or not feasible, in which
case the credit union will notify and provide options to the member in order to resolve the problem.

The guidance contemplates that notice should be provided when there is an incident of unauthorized access to
or use of member information that could result in substantial harm or inconvenience to a member. We believe
there will be confusion as to how much "inconvenience" needs to be caused to the member before a notice should be
issued, which may lead to notices being issued when there is only "mere" inconvenience, especially for credit
unions that may choose to be especially cautious. We believe the "inconvenience" language is unnecessary and
will lead to the issuance of excessive notices.

The guidance should recognize that in certain situations notice to members should either be delayed or not provided at all. An example would be when law enforcement does not want the notice delivered because it may alert the perpetrators that they are being investigated, or because there is suspicion that the accountholder may be involved in the fraud.

To help alleviate the burden with regard to the notices, we encourage NCUA to develop a sample notice that
credit unions may use.

We strongly urge NCUA to allow a reasonable time period for credit unions to comply with the rule and
implement the guidance. We suggest an effective date of at least one year after the rule and guidance are issued
in final form in order to provide credit unions with adequate time to fully implement their response elements
into their security programs.

General Comments

The proposed rule is rather brief and requires that a credit union's existing security program address how the credit union will respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member. It is the guidance that accompanies this rule that contains the details of what should be included in these response programs.

We commend NCUA for this effort in providing the substantive details of this proposal in the form of guidance for the benefit of credit unions with regard to identity theft, as opposed to imposing extensive regulatory mandates. The guidance should help credit unions in their efforts to address the increasing number of breaches of member information that have resulted in the rapid escalation of identity theft over the past several years.

We also commend NCUA for other initiatives in this area. For example, the recent NCUA technology examinations
have been beneficial in providing credit unions with useful information about technology issues with regard to
security.

The problem of identity theft is not caused solely by a lack of security at financial institutions. It also arises for a number of other reasons, such as inadvertent disclosure by the consumer, whether due to identity thieves rifling through mailboxes, consumers failing to shred personal information, or other similar situations. These other scenarios outside the control of the financial institution are precisely the reasons we believe it is important that significant details of the proposal remain in the form of guidance, as opposed to regulatory mandates.

Although the guidance is helpful overall, we do have suggestions for improvements to provide additional
flexibility as credit unions continue to address the critical problem of identity theft.

Notice to Regulators

The proposed guidance outlines four major components that should be included in the credit union's response program. One of the components is a suggestion that the credit union should notify NCUA or the state regulator when it becomes aware of an incident involving unauthorized access or use of member information that could result in substantial harm or inconvenience to its members.

Although we certainly agree that communication with law enforcement is very important in these situations, we question the need to also provide notice to NCUA or the state regulator. Notification to law enforcement should be sufficient, including the filing of a Suspicious Activity Report (SAR), as required under NCUA SAR rules, which is specifically noted in the guidance.

Additional notification to the regulator is not warranted, and we do not understand the need for, or the use the regulator would make of, the information it received. There is the additional concern that the information may be used to the detriment of a credit union that files a significant number of these notices, such as raising an unnecessary concern about a credit union's safety and soundness to the extent that it has a detrimental effect on a future examination and CAMEL rating.

Credit unions are also concerned that, although the information in the notices may be protected, the fact that a credit union filed notices and the number of notices filed by that credit union will be public information that can be obtained under the Freedom of Information Act. A specific concern here is that the credit union's bonding agent will use this information to lower the credit union's bond rating.

Therefore, from the credit union perspective, notice to NCUA or the state regulator will not affect the credit union's efforts in working with law enforcement, and there is no indication that the regulator will be prepared to provide assistance in addressing the problems outlined in the notice. There is only the concern that the notices will be used to the detriment of the credit union. There is also a concern as to what should be included in these notices, as the guidance does not specify the extent and content of the information that would need to be provided.

Corrective Measures

Another component of the response program refers to corrective actions that should be taken by the credit
union when there is unauthorized use or access of member information. The two corrective measures outlined in
the guidance are: 1) identifying and monitoring the affected accounts; and 2) securing accounts.

We believe the provisions in the guidance with regard to monitoring accounts should be changed. The proposed guidance suggests monitoring the accounts even if misuse of the information may not occur, in which case notice to the member would not even be necessary. Many members have multiple accounts, and to monitor so many accounts, especially if the exact sensitive member information that was accessed could not be affirmatively identified as belonging to a particular set of member accounts, would be extremely burdensome and would require excessive employee time and effort that may not be immediately available. This would be compounded since the guidance provides little information about what "monitoring" may entail or how long a credit union should monitor the affected accounts.

The guidance should give credit unions more flexibility to determine if account monitoring is unnecessary or not feasible. In these situations, the guidance should simply suggest that the credit union: 1) notify affected members of the security breach; and 2) provide those members with options to ensure that their accounts are secured. This could include placing special passwords on the account or changing the account number. The credit union should be allowed to develop its own internal procedures detailing the options it will provide to members in these situations, which may be in lieu of or in addition to account monitoring. The notices to members can also be used to remind members of the many options they have to verify their account activity and the need for members to monitor their own account activity.

NCUA requested comment on whether the term "securing accounts" is sufficiently clear to enable credit unions
to know what is expected of them. We believe the term is sufficiently clear. Credit unions are familiar with
the options available to them with regard to securing accounts and will know the best way to do so, based on the
circumstances with regard to the breach of the information.

Notices to Members

Although credit unions generally support the need to provide notices to members in certain situations when sensitive member information has been compromised, there is a concern that such notices may have unintended consequences. For example, certain members who receive notices may, for whatever reason, publicize that they have received them. This may result in adverse publicity for the credit union, possibly to the extent that it may cause significant panic that could lead to a run on the credit union. Although we hope that this will never occur, we do have suggestions with regard to the member notice provisions that may help to alleviate these concerns.

The guidance contemplates that notice should be provided when there is an incident of unauthorized access to
or use of member information that could result in substantial harm or inconvenience to a member. We believe
there will be confusion as to how much "inconvenience" needs to be caused to the member before a notice should be
issued, which may lead to notices being issued when there is only "mere" inconvenience, especially for credit
unions that may choose to be especially cautious.

To alleviate this concern, and to possibly reduce unnecessary notices, we suggest that the term
"inconvenience" be removed. In addition to causing confusion and additional notices, we believe that
inconvenience that rises to the level of "substantial" or "serious" can certainly be considered a "substantial
harm," which is already incorporated in the standard for providing member notice.

The guidance states that the notice should be provided in a "timely" manner. We believe that this should be
interpreted so that credit unions can take into account certain practicalities that may lead to delay in the
delivery of these notices. Perhaps this provision should be amended to suggest that the notice be provided
within a reasonable time after the credit union, taking into account all circumstances, determines that a notice
would be appropriate.

The guidance should recognize that in certain situations notice to members should either be delayed or not
provided at all. An example would be when law enforcement may not want the notice delivered as it may alert the
perpetrators that they are being investigated or because there is suspicion that the accountholder is involved in
the fraud. Credit unions may also want to delay delivering notices in order to collect more information so that
they can then provide better guidance to the members as to what course of action should be taken.

In the situations in which the request to delay or not deliver the notices originates from law enforcement, we
also suggest that credit unions be permitted to require that such requests be clear and in writing. This should
avoid possible confusion or accusations that the notice was not properly provided to the member.

The guidance suggests that credit unions should notify affected members when they become aware of unauthorized access to "sensitive member information." We support this flexibility, as it will provide credit unions with the option as to whether to notify members about security breaches involving less "sensitive" information.

We believe the term "sensitive member information" should also specifically include the member's date of birth, along with a personal identifier. Many credit unions commonly use this information to identify members. However, we believe the term "sensitive member information" should specifically exclude encrypted information, since information in this form is unlikely to be misused. This suggested modification should also encourage credit unions to continue efforts to encrypt sensitive information as a means to avoid the need to send notices to members.

Credit unions appreciate the examples provided in the guidance regarding situations in which notices to members should or should not be provided and the flexibility that credit unions have to determine whether notice to members is necessary. They also recognize that the examples are not all-inclusive, may change over time, and that other situations will arise in the future that are not currently contemplated.

However, under the guidance, notice does not have to be given if an "appropriate investigation" concludes that misuse of the information is unlikely to occur. Credit unions would appreciate any additional examples that would help clarify the term "appropriate investigation," as well as any other additional examples that could be included in this list, which is not all-inclusive.

To help alleviate the burden with regard to the notices, we encourage NCUA to develop a sample notice that credit unions may use. Much of the content is general information, such as contact numbers and addresses for credit reporting agencies and identity theft information that is available on the Federal Trade Commission's website. This type of general information would lend itself easily to a standardized format. NCUA should consider any credit union using the sample notice to be in compliance with these provisions of the guidance, but this should also not preclude credit unions from developing their own notices.

Service Providers

Contracts with service providers will need a clause that requires them to notify their clients when there is
unauthorized access to member information. Credit unions are concerned as to how to require or enforce such a
clause, other than to take their business elsewhere when the contract expires. Credit unions are optimistic,
however, that vendors will be cooperative as credit unions and the general marketplace insist that such clauses
be inserted, although we caution that this will take time.

Need to Delay Implementation of the Guidance

We strongly urge NCUA to allow a reasonable time period for credit unions to comply with the rule and
implement the guidance. The need to modify contracts with service providers, as described above, will take time.
Also, to the extent currently proposed, the need to monitor accounts will require credit unions to engage in
extensive employee training and possible data processing modifications. We suggest an effective date of at least
one year after the rule and guidance are issued in final form in order to provide credit unions with adequate
time to fully implement their response elements into their security programs.

Thank you for the opportunity to comment on NCUA's proposed rule and guidance on response programs for unauthorized access to member information. If Board members or agency staff have questions about our comments, please give Associate General Counsel Mary Dunn or me a call at (800) 356-9655.